Establishing shared information in a network

ABSTRACT

A method for establishing shared information is described. The method includes estimating characteristics of a communication channel between two nodes based on signals transmitted between the nodes. The method also includes transmitting a signal from the first node to the second node, the signal being modulated with a first data sequence according to a first estimated characteristic, and transmitting a signal from the second node to the first node, the signal being modulated with a second data sequence according to a second estimated characteristic. Shared information is formed at each of the first and second nodes based on at least a portion of the first data sequence and at least a portion of the second data sequence.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No.12/645,971, filed on Dec. 23, 2009, which is a continuation of U.S.application Ser. No. 11/484,542, filed on Jul. 10, 2006, which claimspriority to U.S. Provisional Application Ser. No. 60/780,132, filed onMar. 7, 2006, each of which is incorporated herein by reference.

TECHNICAL FIELD

Embodiments of the inventive subject matter generally relate to networkprotocols, and more particularly to establishing shared informationbetween nodes in a network.

BACKGROUND

Techniques for establishing secure communications in communicationsystems include various cryptography techniques including symmetriccryptography techniques based on “secret” information shared amongcommunicating entities (e.g., nodes or “stations” in a network). Theextent to which the shared information is secret determines the extentto which the communication is secure against potential eavesdropping. Insymmetric cryptography techniques, security between a transmittingstation and a receiving station in a communication network is based onprior existence of a shared secret (or “private”) key used to performencryption and decryption.

Other techniques include asymmetric (e.g., public-key) cryptographytechniques that do not necessarily require secret shared information. Inasymmetric cryptography techniques, stations can communicate securelywithout necessarily starting with a shared secret key. For example, inpublic-key cryptography, a “public key” and a “private key” pair areused. The public key can be sent over a communication channel betweencommunicating stations, or otherwise distributed to the “public”including a potential eavesdropper without compromising security. Theprivate key is kept secret and is only known to a receiver, and thusshould not be able to be (easily) derived from the public key. Theprivate key is mathematically related to the public key and can be usedto decrypt a message that has been encrypted with the public key.However, the public key cannot be used to decrypt the encrypted message.Thus, any station can securely send data to the receiver by using thepublic key to encrypt the data.

Various security protocols can use public-key cryptography to establishother forms of cryptography. For example, public-key cryptography can beused to securely establish shared information (e.g., a private key orinformation from which a private key can be derived) for use in asymmetric cryptographic algorithm.

In some security protocols, a user does not necessarily need toexplicitly provide an encryption key. In some cases, security protocolscan be initiated by detecting actions of a user, such as the pressing ofa button on respective devices. In some cases, devices are interfacedtogether to establish secret shared information, for example, byphysically touching the devices or using near-field communications.

Secret shared information can be established using a protocol thatrelies on characteristics of a physical communication channel. Forexample, a “secrecy capacity” between a transmitter and receiver isbased on a channel capacity to a potential eavesdropper compared to achannel capacity to the receiver. The secrecy capacity represents alimit on the rate at which secret information can be securely (withoutbeing deduced by an eavesdropper) communicated from the transmitter tothe receiver. For a certain class of channels, the secrecy capacity isthe difference between these channel capacities.

SUMMARY

The invention features a technique for establishing shared informationbetween two nodes based on adapting signals to a communication channelbetween two nodes, and forming shared information at each of the nodesbased on exchanged messages using the channel adaptation. We nowsummarize various aspects and features of the invention.

In one aspect, the invention features a method for establishing sharedinformation, and a corresponding communication node. The method includesestimating characteristics of a communication channel between two nodesbased on signals transmitted between the nodes; transmitting a signalfrom the first node to the second node, the signal being modulated witha first data sequence according to a first estimated characteristic;transmitting a signal from the second node to the first node, the signalbeing modulated with a second data sequence according to a secondestimated characteristic; and forming shared information at each of thefirst and second nodes based on at least a portion of the first datasequence and at least a portion of the second data sequence.

Implementations of the invention may incorporate one or more of thefollowing.

The first data sequence is randomly generated at the first node, and thesecond data sequence is randomly generated at the second node.

The data sequences are randomly generated to have a length between aminimum length and a maximum length.

Transmitting the signal from the first node to the second node comprisestransmitting a signal from the first node to the second node in responseto determining that a previously transmitted signal was not acknowledgedby the second node, each transmitted signal being modulated with adifferent data sequence according to the first estimated characteristic.

Each transmitted signal is modulated with a different randomly generateddata sequence.

The portion of the first data sequence and the portion of the seconddata sequence comprise portions of approximately equal length.

The portion of the first data sequence comprises a portion of length Lat the beginning of the first data sequence, and the portion of thesecond data sequence comprises a portion of length L at the end of thesecond data sequence.

Forming the shared information at each of the first and second nodescomprises, at each node: performing a predetermined function on theportion of the first data sequence; performing the predeterminedfunction on the portion of the second data sequence; and combining theresults of the predetermined functions to form the shared information.

Combining the results comprises concatenating the results.

The predetermined function comprises a hash function.

Forming the shared information at each of the first and second nodescomprises, at each node: combining the portion of the first datasequence and the portion of the second data sequence to form a combinedsequence; and performing a predetermined function on the combinedsequence to form the shared information.

Combining the portion of the first data sequence and the portion of thesecond data sequence comprises concatenating the portions.

The predetermined function comprises a hash function.

The first estimated characteristic comprises a characteristic of thecommunication channel associated with transmission from the first nodeto the second node, and the second estimated characteristic comprises acharacteristic of the communication channel associated withcommunication from the second node to the first node.

Estimating characteristics of a communication channel between the twonodes comprises estimating characteristics associated with a pluralityof carriers having different carrier frequencies associated with thechannel.

The signal from the first node to the second node and the signal fromthe second node to the first node each includes a plurality of carriers,at least some of which are modulated according to estimatedcharacteristics associated with the respective carriers.

The carriers comprise orthogonal frequency division multiplexing (OFDM)carriers.

Estimating characteristics of the communication channel comprisesestimating the first estimated characteristic at the second node basedon a predetermined signal transmitted from the first node.

The first estimated characteristic comprises an estimate of asignal-to-noise ratio associated with the received predetermined signal.

The first estimated characteristic comprises an estimate of a bit errorrate associated with the received predetermined signal.

The method further comprises transmitting modulation information basedon the first estimated characteristic from the second node to the firstnode.

The signal modulated with the first data sequence is modulated based onthe received modulation information.

The modulation is selected to achieve a data rate that is higher than90% of a data rate limit associated with the first estimatedcharacteristic.

The modulation information comprises a map that designates a type ofmodulation that is to be used, respectively, on each of multiplecarriers in a signal.

The type of modulation indicates a constellation for phase and/oramplitude modulation.

The carriers comprise orthogonal frequency division multiplexing (OFDM)carriers.

The modulation information comprises a forward error correction coderate.

The modulation information comprises a guard interval length betweenmodulated symbols.

The predetermined signal transmitted from the first node includes one ormore symbols known to the second node from which the second nodeestimates the first estimated characteristic.

The first node repeatedly transmits the predetermined signal untilreceiving a response from second node.

The predetermined signal transmitted from the first node is modulatedbased on default modulation information.

The communication channel comprises a path between the nodes over ashared medium.

The shared medium comprises a wired communication medium.

The shared medium comprises an alternating current (AC) power linenetwork.

The communication channel has at least one varying channelcharacteristic that varies approximately periodically.

The varying channel characteristic comprises noise that varies accordingto an alternating current (AC) power line waveform.

The varying channel characteristic comprises a frequency response thatvaries according to an alternating current (AC) power line waveform.

The method further comprises estimating the characteristics of thecommunication channel based on signals transmitted in associated phaseregions of the periodically varying channel characteristic.

The signal modulated with the first data sequence is transmitted in aphase region of the periodically varying channel characteristiccorresponding to the phase region associated with the first estimatedcharacteristic.

The signal modulated with the second data sequence is transmitted in aphase region of the periodically varying channel characteristiccorresponding to the phase region associated with the second estimatedcharacteristic.

Among the many advantages of the invention (some of which may beachieved only in some of its various aspects and implementations) arethe following.

Shared information can be established and used to form secure logicalnetworks within a larger network. For example, in a power-linecommunication network, a consumer buying a device (e.g., a video device)is able to simply plug the device into a power outlet, and the devicecan join a logical network without the need for connecting additionalphysical wiring to the device. Many customers live in apartments andother buildings that share power lines, and so signals can crossproperty boundaries just as wireless signals can. There may be otherboundaries at an even finer granularity. For example, students occupyinga shared house might want to have one network each, and adolescentsmight want bedroom networks distinct from the general network in theirparents' house. The communication protocol used by network interfacemodules 106 is able to support multiple virtual networks and is able toprovide various forms of security for the networks.

In some situations, power-line networks can become unmanageably large.If all the devices in a large apartment block are allowed to assemblethemselves into a single network, the performance can dropsignificantly. Thus, networks may be partitioned into logical networksfor performance reasons, even if security is not an issue.

A technique for exchanging a key relies on aspects of signal processingto provide security without necessarily requiring public-keycryptography. For example, an “adapted exchange” technique relies onchannel characteristics such as the path-specific frequency selectivefading in power-line channels, such that a potential eavesdropper in aneighboring residence is likely to have poorer reception of a station ina residence than other stations in the same residence. In cases in whichthe channel adaptation mechanism is relatively aggressive in nearing theShannon limit, an eavesdropper may not receive a signal with a highenough signal-to-noise ratio to be able to recover information from thesignal without error.

The adapted exchange technique provides a simplified way for a user toset up a network in a secure way, without needing to generate ormaintain keys or passwords manually. An adapted exchange protocol can beone of multiple protocols available to a user as different modes forestablishing security. A security mode associated with a station can beset by the user, for example, based on the ease of use and the user'sperceived need for security and/or privacy. In some cases, a user maywish to use a more secure protocol instead of, or in combination with,the adapted exchange protocol.

In an example of the adapted exchange technique, a pair of stationsadapt signals to characteristics of the channel to send each otherpartial keys, which are concatenated and hashed to produce a temporaryencryption key that both may then use. An eavesdropper would need toknow the way in which the signals are adapted to the channel (e.g., tonemaps used in both directions) and correctly demodulate the signals inorder to obtain the partial keys. Even if a potential eavesdropper wereable to measure which of the tone maps was in use on a particular link,demodulation by a station other than the intended recipient would bedifficult due to the mismatch in channel characteristics. Even if aneavesdropper were able to correctly demodulate most of the bits of thepartial keys and correct some errors, since a hash function is performedon the partial keys every uncertain bit in the partial keys doubles theeavesdropper's search space of possible encryption keys, since the hashvalue depends on every bit of input in an unpredictable fashion. Thus,the eavesdropper would need to correctly guess values for all of theremaining uncertain bits to obtain the encryption key.

Unless otherwise defined, all technical and scientific terms used hereinhave the same meaning as commonly understood by one of ordinary skill inthe art to which this invention belongs. Although methods and materialssimilar or equivalent to those described herein can be used in thepractice or testing of the present invention, suitable methods andmaterials are described below. All publications, patent applications,patents, and other references mentioned herein are incorporated byreference in their entirety. In case of conflict, the presentspecification, including definitions, will control. In addition, thematerials, methods, and examples are illustrative only and not intendedto be limiting.

As used herein, a “randomly generated” number or sequence of digits orcharacters includes a number or sequence generated using techniques togenerate random or pseudorandom numbers.

Other features and advantages of the invention will be found in thedetailed description, drawings, and claims.

DESCRIPTION OF DRAWINGS

FIG. 1 is a schematic diagram of a network configuration.

FIG. 2 is a block diagram of a communication system.

DESCRIPTION OF EMBODIMENT(S)

There are a great many possible implementations of the invention, toomany to describe herein. Some possible implementations that arepresently preferred are described below. It cannot be emphasized toostrongly, however, that these are descriptions of implementations of theinvention, and not descriptions of the invention, which is not limitedto the detailed implementations described in this section but isdescribed in broader terms in the claims.

System Overview

As shown in FIG. 1, a network configuration 100 provides a sharedcommunication medium 110 for a number of communication stations102A-102E (e.g., computing devices, or audiovisual devices) tocommunicate with each other. The communication medium 110 can includeone or more types of physical communication media such as coaxial cable,unshielded twisted pair, or power lines, for example. The networkconfiguration 100 can also includes devices such as bridges orrepeaters. The communication stations 102A-102E communicate with eachother using predetermined physical (PHY) layer and medium access control(MAC) layer communication protocols used by network interface modules106. The MAC layer is a sub-layer of the data link layer and provides aninterface to the PHY layer, according to the Open SystemsInterconnection (OSI) network architecture standard. The networkconfiguration 100 can have any of a variety of network topologies (e.g.,bus, tree, star, mesh).

The stations use the adapted exchange technique for establishing sharedinformation between a given pair of stations for use in securecommunications. The adapted exchange technique is based on adaptingsignals to a communication channel between two nodes, and forming sharedinformation at each of the nodes based on exchanged messages using thechannel adaptation (e.g., transmission parameters such as type ofmodulation used on signal carriers, and corresponding bit loading). Insome cases, the channel adaptation provides the highest data rate thatcan be achieved on the channel for a given tolerable bit error rate. Byselecting the channel adaptation in this manner, it becomes less likelythat the signals can be correctly received and demodulated by otherstations (e.g., potential eavesdroppers). The adapted exchange techniquealso includes estimating characteristics of the communication channelbased on signals transmitted between the nodes, and forming sharedinformation at each of the nodes based on exchanged data sequences thathave been modulated according to the estimated characteristics. The datasequences can be randomly generated, for example, using techniques thatuse a procedure or function to realize or approximate a desiredstatistical distribution, such as a pseudorandom number generationfunction.

In some implementations, the network interface modules 106 use protocolsthat include features to improve performance when the networkconfiguration 100 includes a communication medium 110 that exhibitsvarying transmission characteristics. For example, the communicationmedium 110 may include AC power lines in a house, optionally coupled toother media (e.g., coaxial cable lines).

Power-line communication systems use existing AC wiring to exchangeinformation. Owing to their being designed for much lower frequencytransmissions, AC wiring provides varying channel characteristics at thehigher frequencies used for data transmission (e.g., depending on thewiring used and the actual layout). To increase the data rate betweenvarious links, stations adjust their transmission parametersdynamically. This process is called channel adaptation. Channeladaptation results in adaptation information specifying a set oftransmission parameters that can be used on each link. Adaptationinformation includes such parameters as the frequencies used, theirmodulation, and the forward error correction (FEC) used.

The communication channel between any two stations provided by thecommunication medium 110 may exhibit varying channel characteristicssuch as periodic variation in noise characteristics and frequencyresponse. To improve performance and QoS stability in the presence ofvarying channel characteristics, the stations can synchronize channeladaptation with the frequency of the AC line (e.g., 50 or 60 Hz). Thereare typically variations in the phase and frequency of the AC line cyclefrom the power generating plant and local noise and load changes. Thissynchronization enables the stations to use consistent channeladaptation optimized for a particular phase region of the AC line cycle.An example of such synchronization is described in U.S. patentapplication Ser. No. 11/337,946, incorporated herein by reference.

Another aspect of mitigating potential impairments caused by the varyingchannel characteristics involves using a robust signal modulation formatsuch as orthogonal frequency division multiplexing (OFDM), also known asDiscrete Multi Tone (DMT). OFDM is a spread spectrum signal modulationtechnique in which the available bandwidth is subdivided into a numberof narrowband, low data rate channels or “carriers.” To obtain highspectral efficiency, the spectra of the carriers are overlapping andorthogonal to each other. Data are transmitted in the form of symbolsthat have a predetermined duration and encompass some number ofcarriers. The data transmitted on these carriers can be modulated inamplitude and/or phase, using modulation schemes such as Binary PhaseShift Key (BPSK), Quadrature Phase Shift Key (QPSK), or m-bit QuadratureAmplitude Modulation (m-QAM).

Some communication networks use a “central coordinator” (CCo) stationthat is selected to provide certain coordination functions for at leastsome of the other stations in the network configuration 100. A set ofstations operating under the coordination of a single CCo is called aBasic Service Set (BSS). Functions performed by the CCo can include:authentication of stations upon joining the BSS, provisioning ofidentifiers for stations, and scheduling and timing of medium access.For example, the CCo broadcasts a repeated beacon transmission fromwhich the stations in the BSS can determine scheduling and timinginformation. This beacon transmission includes fields that carryinformation used by the stations to coordinate communication. Though theformat of each of the repeated beacon transmission is similar, thecontent typically changes in each transmission. The beacon transmissionis repeated approximately periodically, and, in some implementations, issynchronized to a characteristic of the communication medium 110. Insome cases, a Proxy Coordinator (PCo) can be used to manage stationsthat are “hidden” from the CCo (e.g., stations that do not reliablyreceive signals from the CCo).

There may be differences in the access techniques implemented bydifferent MAC protocols. For example, a MAC protocol can use a carriersense multiple access with collision avoidance (CSMA/CA) technique toaccess the network configuration 100. Another MAC protocol uses a timedivision multiple access (TDMA) technique. Some MAC protocols include acontention-free period (CFP) in which a TDMA technique is used, and alsoinclude a contention period (CP) in which a CSMA/CA technique is used.The contention-free period is scheduled and managed by the CCo toprovide improved quality of service (QoS) for certain applications runon a device (e.g., audio and/or video applications). Other MAC protocolscan use any one or combination of these or other access techniques.

PHY Layer Communication System Architecture

Any of a variety of communication system architectures can be used toimplement the portion of the network interface module 106 that convertsdata to and from a signal waveform that is transmitted over thecommunication medium. An application running on a station provides andreceives data to and from the network interface module 106 in segments.A “MAC Protocol Data Unit” (MPDU) is a segment of information includingoverhead and payload fields that the MAC layer has asked the PHY layerto transport. An MPDU can have any of a variety of formats based on thetype of data being transmitted. A “PHY Protocol Data Unit (PPDU)” refersto the modulated signal waveform representing an MPDU that istransmitted over the power line.

In OFDM modulation, data are transmitted in the form of OFDM “symbols.”Each symbol has a predetermined time duration or symbol time T_(s). Eachsymbol is generated from a superposition of N sinusoidal carrierwaveforms that are orthogonal to each other and form the OFDM carriers.Each carrier has a peak frequency f_(i) and a phase Φ_(i) measured fromthe beginning of the symbol. For each of these mutually orthogonalcarriers, a whole number of periods of the sinusoidal waveform iscontained within the symbol time T_(s). Equivalently, each carrierfrequency is an integral multiple of a frequency interval Δf=1/T_(s).The phases Φ_(i) and amplitudes A_(i) of the carrier waveforms can beindependently selected (according to an appropriate modulation scheme)without affecting the orthogonality of the resulting modulatedwaveforms. The carriers occupy a frequency range between frequencies f₁and f_(N) referred to as the OFDM bandwidth.

Referring to FIG. 2, a communication system 200 includes a transmitter202 for transmitting a signal (e.g., a sequence of OFDM symbols) over acommunication medium 204 to a receiver 206. The transmitter 202 andreceiver 206 can both be incorporated into a network interface module106 at each station. The communication medium 204 can represent a pathfrom one device to another over the power line network.

At the transmitter 202, modules implementing the PHY layer receive anMPDU from the MAC layer. The MPDU is sent to an encoder module 220 toperform processing such as scrambling, error correction coding andinterleaving.

The encoded data is fed into a mapping module 222 that takes groups ofdata bits (e.g., 1, 2, 3, 4, 6, 8, or 10 bits), depending on theconstellation used for the current symbol (e.g., a BPSK, QPSK, 8-QAM,16-QAM constellation), and maps the data value represented by those bitsonto the corresponding amplitudes of in-phase (I) and quadrature-phase(Q) components of a carrier waveform of the current symbol. This resultsin each data value being associated with a corresponding complex numberC_(i)=A_(i) exp(jΦ_(i)) whose real part corresponds to the I componentand whose imaginary part corresponds to the Q component of a carrierwith peak frequency f_(i). Alternatively, any appropriate modulationscheme that associates data values to modulated carrier waveforms can beused.

The mapping module 222 also determines which of the carrier frequenciesf₁, . . . , f_(N) within the OFDM bandwidth are used by the system 200to transmit information. For example, some carriers that areexperiencing fades can be avoided, and no information is transmitted onthose carriers. Instead, the mapping module 222 uses coherent BPSKmodulated with a binary value from the Pseudo Noise (PN) sequence forthat carrier. For some carriers (e.g., a carrier i=10) that correspondto restricted bands (e.g., an amateur radio band) on a medium 204 thatmay radiate power no energy is transmitted on those carriers (e.g.,A₁₀=0). The mapping module 222 also determines the type of modulation tobe used on each of the carriers (or “tones”) according to a “tone map.”The tone map can be a default tone map, or a customized tone mapdetermined by the receiving station that has been adapted tocharacteristics of the communication medium 204 (e.g., for use withadapted exchange techniques).

An inverse discrete Fourier transform (IDFT) module 224 performs themodulation of the resulting set of N complex numbers (some of which maybe zero for unused carriers) determined by the mapping module 222 onto Northogonal carrier waveforms having peak frequencies f₁, . . . , f_(N).The modulated carriers are combined by IDFT module 224 to form adiscrete time symbol waveform S(n) (for a sampling rate f_(R)), whichcan be written as

$\begin{matrix}{{S(n)} = {\sum\limits_{i = 1}^{N}{A_{i}{\exp\left\lbrack {j\left( {{2\;\pi\;{{in}/N}} + \Phi_{i}} \right)} \right\rbrack}}}} & {{Eq}.(1)}\end{matrix}$where the time index n goes from 1 to N, Ai is the amplitude and Φ_(i)is the phase of the carrier with peak frequency f_(i)=(i/N)f_(R), andj=√−1. In some implementations, the discrete Fourier transformcorresponds to a fast Fourier transform (FFT) in which N is a power of2.

A post-processing module 226 combines a sequence of consecutive(potentially overlapping) symbols into a “symbol set” that can betransmitted as a continuous block over the communication medium 204. Thepost-processing module 226 prepends a preamble to the symbol set thatcan be used for automatic gain control (AGC) and symbol timingsynchronization. To mitigate intersymbol and intercarrier interference(e.g., due to imperfections in the system 200 and/or the communicationmedium 204) the post-processing module 226 can extend each symbol with acyclic prefix that is a copy of the last part of the symbol. Thepost-processing module 226 can also perform other functions such asapplying a pulse shaping window to subsets of symbols within the symbolset (e.g., using a raised cosine window or other type of pulse shapingwindow) and overlapping the symbol subsets.

An Analog Front End (AFE) module 228 couples an analog signal containinga continuous-time (e.g., low-pass filtered) version of the symbol set tothe communication medium 204. The effect of the transmission of thecontinuous-time version of the waveform S(t) over the communicationmedium 204 can be represented by convolution with a function g(τ;t)representing an impulse response of transmission over the communicationmedium. The communication medium 204 may add noise n(t), which may berandom noise and/or narrowband noise emitted by a jammer.

At the receiver 206, modules implementing the PHY layer receive a signalfrom the communication medium 204 and generate an MPDU for the MAClayer. An AFE module 230 operates in conjunction with an Automatic GainControl (AGC) module 232 and a time synchronization module 234 toprovide sampled signal data and timing information to a discrete Fouriertransform (DFT) module 236.

After removing the cyclic prefix, the receiver 206 feeds the sampleddiscrete-time symbols into DFT module 236 to extract the sequence of Ncomplex numbers representing the encoded data values (by performing anN-point DFT). Demodulator/Decoder module 238 maps the complex numbersonto the corresponding bit sequences and performs the appropriatedecoding of the bits (including deinterleaving and descrambling).

Any of the modules of the communication system 200 including modules inthe transmitter 202 or receiver 206 can be implemented in hardware,software, or a combination of hardware and software.

Channel Estimation and Adaptation

Channel estimation is the process of measuring the characteristics ofthe communication medium to adapt the operation of the PHY layer toprovide improved performance.

Adapting to the estimated characteristics can include:

-   -   Selection of the tone map designating modulation method(s) to be        used on each carrier. Any given carrier may use different        modulations at different times within the beacon period.    -   Selection of the FEC rate.    -   Selection of the guard interval length.    -   Selection of the intervals within the beacon period where a        particular tone map, FEC rate, and guard interval setting        applies.

For a power-line communication medium, the FEC rate and guard intervallength can vary over the AC line cycle period, but they are the same forall carriers at any given time.

In cases in which a CCo is used, the results of channel estimation canbe reported to the CCo for use in allocating time slots in the CFP. TheCCo can allocate time for communication between a transmitting andreceiving station to perform channel estimation. The CCo can then usethis channel estimation information in determining or updating theschedule of time slots allocated to stations in the CFP.

The channel-estimation procedures may differ slightly between the CP andthe CFP. In the CP, the receiving station can designate a default ToneMap that may be used by the transmitting station anywhere in the CP. Thereceiving station may optionally define additional Tone Maps that may beused in the CP during particular intervals of the beacon period. Thisapproach allows the transmitting station to begin communicating usingTone Map modulated data quickly, and avoids complicated interactionsbetween the CSMA access procedure and the channel-estimation proceduresfor the CP. This approach is well suited to the transport of best effortdata. Alternatively, the receiving station can designate intervalswithin a beacon period over which particular channel adaptation applieswithout taking into account whether a transmission is within the CP orthe CFP.

Before data communication occurs in the CFP, the receiving stationdefines a tone map that is valid in the interval of the beacon periodwhere the transmission is scheduled. If no valid tone map is defined inan interval, the transmitting station sends a “SOUND MPDU” in theinterval until the receiving station defines a tone map that for theinterval. The SOUND MPDU includes a signal known to the receivingstation from which the receiving station can estimate characteristics ofthe channel. The receiving station defines a tone map in which themodulation for a carrier is tailored to the characteristics of thechannel at that carrier frequency. In addition to channelcharacteristics, the receiving station can also define a tone map basedon a type of data to be transmitted (e.g., more robust modulation forapplications more sensitive to data loss). The tone map is sent to thetransmitting station in a channel estimation response (CER) message.

Alternatively, if no valid tone map is defined in an interval, thetransmitting station can use a default tone map that has enoughredundancy to be successfully transmitted assuming worst case channelcharacteristics. This default tone map may be more appropriate if thetransmitting station only has a relatively small amount of data to send.The default tone map can also be used to broadcast information tomultiple stations. However, the default tone map is not used for adaptedexchange to establish shared information since the adapted exchangetechnique relies on security benefits provided by signals whosemodulation has been adapted to estimated channel characteristics.

The channel-estimation procedures also include mechanisms formaintaining the lists of the intervals within the beacon period whereeach tone map may be used. Tone map intervals are defined as timeperiods within the beacon period where a particular tone map may beused. Since the CCo locks the beacon period to the AC line cycle,intervals are synchronized to the AC line cycle.

The receiving station specifies the intervals within which various tonemaps may be used, subject to certain guidelines, which may include anyof the following:

-   -   The CP default tone map may be used anywhere in the contention        period.    -   With the exception of default tone map, intervals are disjoint        (non-overlapping).    -   The transmitter may not transmit PPDUs with the PPDU Payload        crossing the boundary between intervals using different tone        maps.    -   The receiver specifies intervals that are large enough to carry        a complete PPDU, based on the indicated tone map.    -   The current intervals definition is carried in the CER message.    -   The current intervals definition becomes stale if a period of 30        seconds has elapsed since the last CER message was received from        the receiving station.        Adapted Exchange

A station can use the adapted exchange technique for establishing sharedinformation with another station based on the results of channelestimation in both directions. The tone maps adaptively selected foreach direction according to the estimated channel characteristicsprovide a certain degree of security. In some cases, different tone mapsare also selected for different virtual links between the pair ofstations.

The established shared information can be used as, or used to compute, aTemporary Encryption Key (TEK) that is used to encrypt messages on atemporary private channel between the two stations. The TEK can be anAES encryption key, for example. To increase the level of security,stations can be configured to discard the TEK, after a predeterminedamount of time, or after some other predetermined event.

In an exemplary adapted exchange key distribution protocol, two stationsparticipating in the protocol (station A and station B) receive somepositive indication from a user (e.g., a press of a button on each ofthe respective stations within a given time interval) that the stationsare to join the same logical network (e.g., a BSS). In some cases, onestation is already associated with a logical network (e.g., a CCostation), and the other station is joining as a new member of thenetwork. If neither station is associated with a logical network, thestations may form a new logical network. The first station to send amessage in the protocol is called the “initiator” and the other stationis called the “respondent.”

The two stations then perform channel estimation and adaptation toestablish an adapted tone map for modulating signals from station A tostation B, and an adapted tone map for modulating signals from station Bto station A. Before the adapted tone maps have been determined, thestations use a default tone map to exchange initial (unsecure) messagesin the protocol. The default tone map is designed to work even in thepresence of channel impairments such as fading or low signal-to-noiseratio.

After the adapted tone maps have been determined, each station transmitsa secret “partial key” to the other station using a signal modulatedaccording to the adapted tone map. The partial keys are stringsgenerated by a pseudorandom number generator. In some protocols, thepseudorandom number generator is configured to generate partial keysthat have a variable length between a minimum length (e.g., 64 octets)and a maximum length (e.g., 384 octets). In other protocols, thepseudorandom number generator is configured to generate partial keysthat have a fixed length (e.g., 384 octets). The exchanged partial keysare not encrypted, but there are many possible adapted tone maps thatcould potentially be used, and a potential eavesdropper would not beable to properly demodulate the signal without knowing which tone map touse.

The partial keys can be transmitted with an acknowledgement protocolthat includes transmitting a signal from a first station to a secondstation with a new partial key in response to determining that apreviously transmitted signal carrying a partial key was notacknowledged by the second station. If the first station does notreceive an acknowledgment from the second station that the partial keywas properly received (e.g., received without error), then the firststation transmits a different randomly generated partial key modulatedaccording to the adapted tone map. By not retransmitting a givenrandomly generated partial key (or by limiting the number of times agiven partial key can be retransmitted) a potential eavesdropper wouldnot be able to take advantage of many transmissions of the same key tocorrect errors due to an incompatible tone map.

For example, a tone map can specify modulation rates (number of bits persymbol) for each of multiple (e.g., hundreds) of carriers, along withother parameters such as the forward error correction coding rate, andthe guard interval duration. Even if a potential eavesdropper were ableto measure which of the tone maps was in use on a particular link, thetransmission rate for each carrier is adapted to be close to the maximumrate possible given the signal-to-noise ratio (e.g., within 75%, 90%, or95% of a data rate limit such as the Shannon channel capacity associatedwith an estimated signal-to-noise-ratio). Thus, interception of the datapayload (the partial key) is a significant challenge since aneavesdropper may not be able to support the data rate determined by thetone map (e.g., the eavesdropper may have a high bit error rate due to alower signal-to-noise ratio on at least some of the carriers).

At each station the two partial keys (the partial key generated at thestation and the partial key received from the other station) arecombined in a predetermined way to yield a combined key. A predeterminedfunction, such as a hash function, is performed on the combined key toproduce a shared TEK. For example, the first octet of the partial keyprovided by the initiator is the first octet of the combined key, andthe last octet of the partial key provided by the respondent is the lastoctet of the combined key. Alternatively, a hash function can beperformed on each partial key before they are combined in apredetermined way to form the TEK. If one or both stations do notproperly receive the partial key from the other station, a new partialkey is generated and transmitted.

After both stations have derived the TEK from the partial keys, thestations can proceed to participate in further protocols to establishsecure communications and are able to send encrypted information (e.g.,private keys for other security protocols) using the TEK to encrypt anddecrypt the information (e.g., in a symmetric cryptography protocol).For example, a station that is already a member of a logical network cansend a joining station a Network Membership Key (NMK) encrypted with theTEK. The new station can then use the NMK to decrypt a NetworkEncryption Key (NEK) sent from the CCo station. The NEK is used toencrypt and decrypt data payloads (e.g., using 128-bit AES CBCencryption). The CCo station may periodically distribute a new NEK toeach station, which is encrypted using the NMK.

The adapted exchange protocol is simple from the perspective of theuser. The user confirms entry of a new station into a network, forexample, by pressing a button or responding affirmatively to a prompt,but the user is not necessarily required to perform more complex taskssuch as generating a password. For example, the technique does notrequire a user to enter a password, or to receive an automaticallygenerated password.

Many other implementations of the invention other than those describedabove are within the invention, which is defined by the followingclaims.

What is claimed is:
 1. A method for establishing shared information, themethod comprising: determining a first estimated characteristic of acommunication channel between a first node and a second node based, atleast in part, on at least one initial signal transmitted from the firstnode to the second node; transmitting a first signal from the first nodeto the second node, wherein at least a portion of the first signal ismodulated with a first data sequence generated at the first nodeaccording to the first estimated characteristic; receiving a secondsignal at the first node from the second node, wherein at least aportion of the second signal is modulated with a second data sequencegenerated at the second node according to a second estimatedcharacteristic of the communication channel, wherein the secondestimated characteristic is determined based, at least in part, on atleast one initial signal transmitted from the second node to the firstnode; and determining shared information at the first node based, atleast in part, on at least a portion of the first data sequence and atleast a portion of the second data sequence.
 2. The method of claim 1,wherein the first data sequence is randomly generated at the first node,and the second data sequence is randomly generated at the second node.3. The method of claim 1, wherein the first data sequence and the seconddata sequence are each randomly generated to have a length between aminimum length and a maximum length.
 4. The method of claim 1, whereinsaid transmitting the first signal comprises transmitting the firstsignal from the first node to the second node, in response todetermining that a previously transmitted signal was not acknowledged bythe second node, wherein the first signal and the previously transmittedsignal are each modulated with a different data sequence according tothe first estimated characteristic.
 5. The method of claim 4, whereinthe first signal and the previously transmitted signal are eachmodulated with a different randomly generated data sequence.
 6. Themethod of claim 1, wherein the portion of the first data sequence andthe portion of the second data sequence include portions ofapproximately equal length.
 7. The method of claim 6, wherein theportion of the first data sequence includes a portion at a beginning ofthe first data sequence, and the portion of the second data sequenceincludes a portion at an end of the second data sequence.
 8. The methodof claim 1, wherein said determining the shared information at the firstnode comprises: performing a predetermined function on the portion ofthe first data sequence to yield a first result; performing thepredetermined function on the portion of the second data sequence toyield a second result; and combining the first result and the secondresult to yield the shared information.
 9. The method of claim 8,wherein said combining the first result and the second result comprisesconcatenating the first result and the second result.
 10. The method ofclaim 8, wherein the predetermined function includes a hash function.11. The method of claim 1, wherein said determining the sharedinformation at the first node comprises: combining the portion of thefirst data sequence and the portion of the second data sequence to yielda combined sequence; and performing a predetermined function on thecombined sequence to yield the shared information.
 12. The method ofclaim 11, wherein said combining the portion of the first data sequenceand the portion of the second data sequence comprises concatenating theportion of the first data sequence and the portion of the second datasequence.
 13. The method of claim 11, wherein the predetermined functionincludes a hash function.
 14. The method of claim 1, wherein the firstestimated characteristic includes a characteristic of the communicationchannel associated with transmission from the first node to the secondnode, and the second estimated characteristic includes a characteristicof the communication channel associated with communication from thesecond node to the first node.
 15. The method of claim 1, wherein saiddetermining the first estimated characteristic comprises estimatingcharacteristics associated with a plurality of carriers having differentcarrier frequencies associated with the communication channel.
 16. Themethod of claim 1, wherein the first signal and the second signal eachincludes a plurality of carriers, wherein at least some of the pluralityof carriers are modulated according to estimated characteristicsassociated with respective carriers.
 17. The method of claim 15, whereinthe carriers include orthogonal frequency division multiplexing (OFDM)carriers.
 18. The method of claim 1, wherein said determining the firstestimated characteristic comprises: receiving modulation informationfrom the second node based, at least in part, on the first estimatedcharacteristic; and determining the first estimated characteristic atthe first node based, at least in part, on the modulation information.19. The method of claim 18, wherein the first estimated characteristicincludes an estimate of a signal-to-noise ratio associated with the atleast one initial signal transmitted from the first node to the secondnode.
 20. The method of claim 18, wherein the first estimatedcharacteristic includes an estimate of a bit error rate associated withthe at least one initial signal transmitted from the first node to thesecond node.
 21. The method of claim 18, wherein the modulationinformation is transmitted from the second node to the first node, inresponse to the second node determining the first estimatedcharacteristic based at least in part, on the at least one initialsignal transmitted from the first node to the second node.
 22. Themethod of claim 18, wherein the first signal is modulated with the firstdata sequence based, at least in part, on the modulation informationreceived from the second node.
 23. The method of claim 22, wherein themodulation information is selected to achieve a data rate that is higherthan 90% of a data rate limit associated with the first estimatedcharacteristic.
 24. The method of claim 22, wherein the modulationinformation includes a map that designates a type of modulation that isto be used on each of multiple carriers in the first signal.
 25. Themethod of claim 24, wherein the type of modulation indicates aconstellation for at least one of phase modulation and amplitudemodulation.
 26. The method of claim 24, wherein the multiple carriersinclude orthogonal frequency division multiplexing (OFDM) carriers. 27.The method of claim 18, wherein the modulation information includes aforward error correction code rate.
 28. The method of claim 18, whereinthe modulation information includes a guard interval length betweenmodulated symbols.
 29. The method of claim 18, wherein each initialsignal transmitted from the first node to the second node includes atleast one symbol known to the second node from which the second nodeestimates the first estimated characteristic.
 30. The method of claim29, wherein the first node repeatedly transmits the at least one initialsignal until receiving a response from the second node.
 31. The methodof claim 18, wherein the at least one initial signal transmitted fromthe first node to the second node is modulated based, at least in part,on default modulation information.
 32. The method of claim 1, whereinthe communication channel includes a path between the first node and thesecond node over a shared medium.
 33. The method of claim 32, whereinthe shared medium includes a wired communication medium.
 34. The methodof claim 32, wherein the shared medium includes an alternating current(AC) power line network.
 35. The method of claim 1, wherein thecommunication channel is associated with at least one varying channelcharacteristic that varies approximately periodically.
 36. The method ofclaim 35, wherein the varying channel characteristic includes noise thatvaries according to an alternating current (AC) power line waveform. 37.The method of claim 35, wherein the varying channel characteristicincludes a frequency response that varies according to an alternatingcurrent (AC) power line waveform.
 38. The method of claim 35, furthercomprising estimating the first estimated characteristic of thecommunication channel based, at least in part, on the at least oneinitial signal transmitted in associated phase regions of theperiodically varying channel characteristic.
 39. The method of claim 38,wherein said transmitting the first signal from the first node to thesecond node comprises: modulating the first signal with the first datasequence; and transmitting the first signal in a phase region of theperiodically varying channel characteristic corresponding to a phaseregion associated with the first estimated characteristic.
 40. Themethod of claim 39, wherein the second signal that is received at thefirst node from the second node is modulated with the second datasequence and is transmitted in a phase region of the periodicallyvarying channel characteristic corresponding to a phase regionassociated with the second estimated characteristic.
 41. The method ofclaim 1, further comprising: generating the first data sequence at thefirst node without using an encryption key.
 42. The method of claim 1,wherein the second data sequence is generated at the second node withoutusing an encryption key.
 43. The method of claim 1, wherein the sharedinformation includes an encryption key.
 44. The method of claim 1,wherein the first data sequence is not encrypted before the first signalis modulated with the first data sequence.
 45. The method of claim 1,wherein the second data sequence is not encrypted before the secondsignal is modulated with the second data sequence by the second node.46. The method of claim 44, wherein the shared information includes anencryption key.
 47. The method of claim 1, further comprising:transmitting a third signal from the first node to the second node,wherein at least a portion of the third signal is modulated with a thirddata sequence derived, at least in part, from at least the portion ofthe first data sequence and at least the portion of the second datasequence; wherein said determining the shared information comprisesdetermining the shared information at the first node based, at least inpart, on at least a portion of the third data sequence.
 48. Anon-transitory machine-readable storage medium having instructionsstored therein, which when executed by a processor causes the processorto perform operations that comprise: determining a first estimatedcharacteristic of a communication channel between a first node and asecond node based, at least in part, on at least one initial signaltransmitted from the first node to the second node; transmitting a firstsignal from the first node to the second node, wherein at least aportion of the first signal is modulated with a first data sequencegenerated at the first node according to the first estimatedcharacteristic; receiving a second signal at the first node from thesecond node, wherein at least a portion of the second signal ismodulated with a second data sequence generated at the second nodeaccording to a second estimated characteristic of the communicationchannel, wherein the second estimated characteristic is determinedbased, at least in part, on at least one initial signal transmitted fromthe second node to the first node; and determining shared information atthe first node based, at least in part, on at least a portion of thefirst data sequence and at least a portion of the second data sequence.49. The non-transitory machine-readable storage medium of claim 48,wherein the first data sequence is randomly generated at the first node,and the second data sequence is randomly generated at the second node.50. The non-transitory machine-readable storage medium of claim 48,wherein said operation of transmitting the first signal comprisestransmitting the first signal from the first node to the second node, inresponse to determining that a previously transmitted signal was notacknowledged by the second node, wherein the first signal and thepreviously transmitted signal are each modulated with a different datasequence according to the first estimated characteristic.
 51. Thenon-transitory machine-readable storage medium of claim 48, wherein saidoperation of determining the shared information at the first nodecomprises: performing a predetermined function on the portion of thefirst data sequence to yield a first result; performing thepredetermined function on the portion of the second data sequence toyield a second result; and combining the first result and the secondresult to yield the shared information.
 52. The non-transitorymachine-readable storage medium of claim 48, wherein said operation ofdetermining the shared information at the first node comprises:combining the portion of the first data sequence and the portion of thesecond data sequence to yield a combined sequence; and performing apredetermined function on the combined sequence to yield the sharedinformation.
 53. The non-transitory machine-readable storage medium ofclaim 48, wherein said operation of determining the first estimatedcharacteristic comprises estimating characteristics associated with aplurality of carriers having different carrier frequencies associatedwith the communication channel.
 54. The non-transitory machine-readablestorage medium of claim 48, wherein the first signal and the secondsignal each includes a plurality of carriers, wherein at least some ofthe plurality of carriers are modulated according to estimatedcharacteristics associated with respective carriers.
 55. Thenon-transitory machine-readable storage medium of claim 48, wherein saidoperation of determining the first estimated characteristic comprises:receiving modulation information from the second node based, at least inpart, on the first estimated characteristic; and determining the firstestimated characteristic at the first node based, at least in part, onthe modulation information.
 56. The non-transitory machine-readablestorage medium of claim 55, wherein the first estimated characteristiccomprises: an estimate of a signal-to-noise ratio associated with the atleast one initial signal transmitted from the first node to the secondnode; or an estimate of a bit error rate associated with the at leastone initial signal transmitted from the first node to the second node.57. The non-transitory machine-readable storage medium of claim 55,wherein the modulation information is transmitted from the second nodeto the first node, in response to the second node determining the firstestimated characteristic based, at least in part, on the at least oneinitial signal transmitted from the first node to the second node. 58.The non-transitory machine-readable storage medium of claim 55, whereinthe first signal is modulated with the first data sequence based, atleast in part, on the modulation information received from the secondnode.
 59. The non-transitory machine-readable storage medium of claim55, wherein the modulation information includes a forward errorcorrection code rate or a guard interval length between modulatedsymbols.
 60. The non-transitory machine-readable storage medium of claim48, wherein the communication channel includes a path between the firstnode and the second node over a shared medium.
 61. The non-transitorymachine-readable storage medium of claim 48, wherein the operationsfurther comprise: transmitting a third signal from the first node to thesecond node, wherein at least a portion of the third signal is modulatedwith a third data sequence derived, at least in part, from at least theportion of the first data sequence and at least the portion of thesecond data sequence; wherein said determining the shared informationcomprises determining the shared information at the first node based, atleast in part, on at least a portion of the third data sequence.
 62. Andevice comprising: a network interface including a transmitter and areceiver; the receiver configured to receive signals from acommunication medium; and the transmitter coupled with the receiver andconfigured to: determine a first estimated characteristic of acommunication channel between a first node and a second node based, atleast in part, on at least one initial signal transmitted from the firstnode to the second node, wherein the device is associated with the firstnode; transmit a first signal to the second node, wherein at least aportion of the first signal is modulated with a first data sequencegenerated at the first node according to the first estimatedcharacteristic; receive a second signal from the second node, wherein atleast a portion of the second signal is modulated with a second datasequence generated at the second node according to a second estimatedcharacteristic of the communication channel, wherein the secondestimated characteristic is determined based, at least in part, on atleast one initial signal transmitted from the second node to the firstnode; and determine shared information based, at least in part, on atleast a portion of the first data sequence and at least a portion of thesecond data sequence.
 63. The device of claim 62, wherein the first datasequence is randomly generated by the device associated with the firstnode, and the second data sequence is randomly generated at the secondnode.
 64. The device of claim 62, wherein the transmitter configured totransmit the first signal comprises the transmitter configured totransmit the first signal from the first node to the second node, inresponse to determining that a previously transmitted signal was notacknowledged by the second node, wherein the first signal and thepreviously transmitted signal are each modulated with a different datasequence according to the first estimated characteristic.
 65. The deviceof claim 62, wherein the transmitter configured to determine the sharedinformation comprises the transmitter configured to: perform apredetermined function on the portion of the first data sequence toyield a first result; perform the predetermined function on the portionof the second data sequence to yield a second result; and combine thefirst result and the second result to yield the shared information. 66.The device of claim 62, wherein the transmitter configured to determinethe shared information comprises the transmitter configured to: combinethe portion of the first data sequence and the portion of the seconddata sequence to yield a combined sequence; and perform a predeterminedfunction on the combined sequence to yield the shared information. 67.The device of claim 62, wherein the transmitter configured to determinethe first estimated characteristic comprises the transmitter configuredto estimate characteristics associated with a plurality of carriershaving different carrier frequencies associated with the communicationchannel.
 68. The device of claim 62, wherein the first signal and thesecond signal each includes a plurality of carriers, wherein at leastsome of the plurality of carriers are modulated according to estimatedcharacteristics associated with respective carriers.
 69. The device ofclaim 62, wherein the transmitter configured to determine the firstestimated characteristic comprises the transmitter configured to:receive modulation information from the second node based, at least inpart, on the first estimated characteristic; and determine the firstestimated characteristic at the first node based, at least in part, onthe modulation information.
 70. The device of claim 69, wherein thefirst estimated characteristic comprises: an estimate of asignal-to-noise ratio associated with the at least one initial signaltransmitted from the first node to the second node; or an estimate of abit error rate associated with the at least one initial signaltransmitted from the first node to the second node.
 71. The device ofclaim 69, wherein the modulation information is transmitted from thesecond node to the first node, in response to the second nodedetermining the first estimated characteristic based, at least in part,on the at least one initial signal transmitted from the first node tothe second node.
 72. The device of claim 69, wherein the first signal ismodulated with the first data sequence based, at least in part, on themodulation information received from the second node.
 73. The device ofclaim 69, wherein the modulation information includes a forward errorcorrection code rate or a guard interval length between modulatedsymbols.
 74. The device of claim 62, wherein the communication channelincludes a path between the first node and the second node over a sharedmedium.
 75. The device of claim 62, wherein the transmitter is furtherconfigured to: transmit a third signal from the first node to the secondnode, wherein at least a portion of the third signal is modulated with athird data sequence derived, at least in part from at least the portionof the first data sequence and at least the portion of the second datasequence; wherein the transmitter configured to determine the sharedinformation comprises the transmitter configured to determine the sharedinformation based, at least in part, on at least a portion of the thirddata sequence.